A very long time ago, I used to be an auditor. Some of the more interesting audits I got to do were of Credit Card Manufacturing Bureaus.

When you order a new credit card from your bank, your bank sends your details to these Credit Card Manufacturing Bureaus, and they create the actual physical card with your details on it.

As you can imagine, the security requirements on these bureaus are immense - they are basically printing money!

On one such audit, I was doing a perimeter walk with the Security Manager of the bureau I was auditing. The purpose of a perimeter walk was to check that there were physical security controls in place to ensure some ne'er-do-well couldn’t easily slip in and steal some credit cards.

I was just about to tell the Security Manager that we could turn back and go have some lunch, when out of the corner of my eye I spotted an old filing cabinet standing in the corner of the property…which I thought was odd. Why was a filing cabinet standing outside?

The Security Manager explained that they had been clearing old furniture out of the office, and it was just an old cabinet that hadn’t been picked up by the trash collectors yet.

The O.C.D. part of my brain had to double-check what was in that filing cabinet, even though the pragmatic part of my brain was telling me there was very little chance of anything of concern being in it.

So I walked over to the cabinet to pull open one of the drawers. 

It wasn’t locked…

I looked inside and saw a bunch of papers in the drawer…I took one, and saw it was a photocopy of a credit card. With the full details of the credit card clear to see.

The Security Manager’s jaw dropped. His eyes went so big I was worried he might be having a heart attack!

I checked a few more pages of paper…they were all photocopies of credit cards!

Turns out, these were photocopies of cards that had been destroyed; the photocopies were part of the record-keeping process.

The Security Manager was a bit quiet during lunch…

What stayed with me about that day wasn’t the shock on the Security Manager’s face (although that was memorable).

It was how normal it all felt up until that drawer opened.

This was a facility with serious security. Guards. Cameras. Access controls. Procedures. You could feel the weight of compliance the moment you walked in. This was not some sloppy back-office operation. These were professionals. They were printing money.

And yet, there it was.

A metal filing cabinet.
Outside.
Unlocked.
Full of photocopies of credit cards.

Not because anyone was malicious.
Not because someone had bypassed controls.
Not because of a sophisticated attack.

But because somewhere along the line, the paperwork stopped being “credit card data” and became “old files.”

That’s the part that matters.

We spend so much time in information security thinking about the digital world. Firewalls. Encryption. MFA. Zero trust. Cloud posture management. We worry about misconfigured storage buckets and ransomware gangs.

Meanwhile, sometimes the real risk is sitting in a drawer next to the parking lot.

It’s easy to forget that information doesn’t become less sensitive just because it’s on paper. Or because the primary asset, in this case the physical card, was destroyed. The photocopy still carried the same risk. Full card number. Expiry date. Everything you would need.

Information is information.

And the lifecycle matters just as much as the protection.

Creation.
Use.
Storage.
Destruction.

If any one of those steps breaks down, the whole chain breaks.

What struck me most is that this wasn’t a perimeter failure. The fence was fine. The guards were fine. The cameras were fine.

It was a lifecycle failure.

A governance failure.

No one asked the simple question during the office clear-out: “What’s actually inside this cabinet?”

Security doesn’t usually fail in dramatic Hollywood fashion. It fails in quiet, ordinary moments. During clean-ups. During moves. During “we’ll sort that out later.”

It fails when something sensitive stops feeling sensitive.

That old filing cabinet was a reminder I’ve carried with me ever since:

The biggest risks are often hiding in plain sight.
And sometimes, the most important control is curiosity.

Remember - trust but verify.

Have you seen some bizarre control failures? If so, what were they?
